validating and changing a user's password

雨燕双飞 submitted on 2019-12-05 18:01:12

You really should not be storing these passwords in plain text. You should hash the password and store the hash. Then, if you want to check whether a password is correct, hash the password the user typed and compare it to the hash stored for the user.

But it sounds like you need help getting a value out of the database for the current user. Putting something like this in there ought to do this for you. Please note that, like I said above, this should really be retrieving a hash of the password, not the actual password in plain text.

// Fetch the stored value for the current user with a parameterized query.
string sqlquery = "SELECT Password FROM [Member] where Username=@username";
SqlCommand cmd = new SqlCommand(sqlquery, connect);
cmd.Parameters.AddWithValue("@username", label_username.Text);
// ExecuteScalar returns null when no row matches the username.
string currentPassword = cmd.ExecuteScalar() as string;

if (currentPassword == textBox_Current.Text)
{
 // PASSWORD IS CORRECT, CHANGE IT, NOW.
} else {
 // WOW EASY BUDDY, NOT SO FAST
}

First you should use password hashing in your application, thus the password fields of the database should hold the hashed values.

Assuming this, to accomplish your goals,

  1. consider your string username -> Hash it -> write a query to check whether that hashed value and the user's password's hash value stored in the database is the same
  2. consider string password and string newPassword in your code -> Hash both -> check whether the hash values are the same
  3. consider string password and string newPassword -> check whether each is null or the length is 0

Also you should perform these tasks in the following order:

1 -> 3 -> 2

Hope this helps...

    // Requires: using System.Data.SqlClient;
    protected void btn_PasswordChange(object sender, EventArgs e)
    {
        string constring = DataAccess.GetConnection();
        using (SqlConnection con = new SqlConnection(constring))
        {
            con.Open();

            // Check the typed current password against the logged-in user's row.
            // Parameters keep the text-box values out of the SQL text.
            SqlCommand check = new SqlCommand(
                "select count(*) from tbl_MemberLogin where UserName=@user and Password=@old", con);
            check.Parameters.AddWithValue("@user", Session["UserName"].ToString());
            check.Parameters.AddWithValue("@old", txtoldpwd.Text);

            if ((int)check.ExecuteScalar() == 0)
            {
                lblmsg.Text = "Invalid current password";
                lblmsg.ForeColor = System.Drawing.Color.Red;
            }
            else
            {
                // The command needs the open connection before it can execute.
                SqlCommand cmd = new SqlCommand(
                    "update tbl_MemberLogin set Password=@new where UserName=@user", con);
                cmd.Parameters.AddWithValue("@new", txtnewpwd.Text);
                cmd.Parameters.AddWithValue("@user", Session["UserName"].ToString());
                cmd.ExecuteNonQuery();
                lblmsg.Text = "Password changed successfully";
                lblmsg.ForeColor = System.Drawing.Color.Green;
            }
        }
    }
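
The approach the answers above recommend, storing a salted hash and comparing hashes rather than plain-text passwords, written out as an added example that is not part of the original answers. The PasswordStore class, the PasswordHash and PasswordSalt varbinary columns on [Member], and the iteration count are assumptions made for illustration.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;
// Added example: assumes [Member] has varbinary columns PasswordHash and PasswordSalt.
static class PasswordStore
{
    const int Iterations = 600000; // assumed work factor, tune for your hardware
    public static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }
    // PBKDF2-HMAC-SHA256: deliberately slow, and salted so equal passwords hash differently.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    // Compares every byte so the time taken does not depend on where the first mismatch is.
    static bool SameBytes(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static bool ChangePassword(SqlConnection con, string user, string current, string replacement)
    {
        if (string.IsNullOrEmpty(current) || string.IsNullOrEmpty(replacement)) return false;
        byte[] hash, salt;
        using (var get = new SqlCommand("SELECT PasswordHash, PasswordSalt FROM [Member] WHERE Username=@u", con))
        {
            get.Parameters.AddWithValue("@u", user);
            using (var row = get.ExecuteReader())
            {
                if (!row.Read()) return false; // unknown user
                hash = (byte[])row["PasswordHash"]; salt = (byte[])row["PasswordSalt"];
            }
        }
        if (!SameBytes(Hash(current, salt), hash)) return false; // wrong current password
        salt = NewSalt(); // fresh salt for the new password
        using (var set = new SqlCommand("UPDATE [Member] SET PasswordHash=@h, PasswordSalt=@s WHERE Username=@u", con))
        {
            set.Parameters.AddWithValue("@h", Hash(replacement, salt));
            set.Parameters.AddWithValue("@s", salt);
            set.Parameters.AddWithValue("@u", user);
            return set.ExecuteNonQuery() == 1;
        }
    }
}
```

ChangePassword expects an already open connection and returns false for an unknown user, a wrong current password, or an empty input, so the caller can show one generic failure message.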